
Configuring Microsoft ISA Server 2006 Web Proxy to Prompt Authenticated Users

August 10, 2009

When the ISA firewall is configured as a forward proxy server, the web proxy listener is configured to use integrated authentication by default.

[Screenshot: integrated_auth]

A web proxy client makes its initial request anonymously. If no policy allows anonymous access to the requested destination, the ISA firewall responds with an authentication challenge in the form of an HTTP 407 response (Proxy Authentication Required), whose Proxy-Authenticate header lists the schemes the listener accepts.

[Screenshot: 407]

The client then resubmits the request, this time supplying credentials to the firewall. This exchange is completely transparent to the end user: the credentials sent to the ISA firewall are those of the currently logged-on user. If that user does not have permission, the ISA firewall denies the request without prompting. This behavior is by design.
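The exchange described above can be observed from a client. The following PowerShell script is an added example, not code from the original post: it sends one request through the web proxy listener three times (anonymously, as the logged-on user, and with explicitly supplied credentials) and reports the HTTP status and Proxy-Authenticate header each case produces. It uses System.Net.HttpWebRequest so that it runs on PowerShell 2.0-era clients; the proxy address and test URL are placeholders to replace with your own.

```powershell
<#
  Added example (not from the original post). Exercise an ISA web proxy
  listener with three credential choices and report what the proxy returns.
  $ProxyUri and $TestUrl are assumed placeholders.
#>
param(
    [string]$ProxyUri = "http://isa.corp.example:8080",  # assumed: your web proxy listener
    [string]$TestUrl  = "http://www.example.com/"         # any external URL your policy covers
)

function Test-ProxyRequest {
    param(
        [string]$Label,
        [System.Net.ICredentials]$Credentials   # $null keeps the request anonymous
    )
    $proxy = New-Object System.Net.WebProxy($ProxyUri)
    if ($Credentials -ne $null) {
        # With credentials attached, the .NET auth modules answer the 407
        # (Negotiate/NTLM) silently, as a browser does for the logged-on user;
        # the status captured below is then the proxy's final verdict.
        $proxy.Credentials = $Credentials
    }
    $request = [System.Net.HttpWebRequest]::Create($TestUrl)
    $request.Proxy = $proxy
    $response = $null
    try {
        $response = [System.Net.HttpWebResponse]$request.GetResponse()
    } catch {
        # Non-2xx replies (407, 403, ...) surface as a WebException, possibly
        # wrapped by PowerShell; the response object is still attached to it.
        $ex = $_.Exception
        if ($ex.InnerException -is [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.WebException]) {
            $response = [System.Net.HttpWebResponse]$ex.Response
        } else {
            throw
        }
    }
    if ($response -eq $null) {
        return New-Object PSObject -Property @{ Case = $Label; Status = "no response"; Challenge = $null }
    }
    $status    = [int]$response.StatusCode
    $challenge = $response.Headers["Proxy-Authenticate"]   # schemes offered on a 407
    $response.Close()
    New-Object PSObject -Property @{ Case = $Label; Status = $status; Challenge = $challenge }
}

$results = @()

# 1. Anonymous: expect 407 and a Proxy-Authenticate header listing the listener's schemes.
$results += Test-ProxyRequest -Label "anonymous" -Credentials $null

# 2. Logged-on account (the auto-logon service account in the post's scenario):
#    the 407 is answered without any prompt. If policy denies this user, the
#    proxy returns a denial rather than another challenge, unless
#    ReturnAuthRequiredIfAuthUserDenied is true, in which case a second 407 comes back.
$results += Test-ProxyRequest -Label "logged-on user" `
    -Credentials ([System.Net.CredentialCache]::DefaultCredentials)

# 3. Credentials typed by a privileged user, as the prompt would collect them.
$privileged = (Get-Credential).GetNetworkCredential()
$results += Test-ProxyRequest -Label "explicit privileged user" -Credentials $privileged

$results | Format-Table Case, Status, Challenge -AutoSize
```

Run it once with the listener in its default state and again after the change described below; the difference shows up in the second case, where a denied logged-on user gets a 407 instead of a denial once the property is enabled.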

There are situations in which this behavior is not desirable. Recently I was working with a customer who had workstations configured to log on automatically with a non-privileged domain service account. These workstations were used to access a web-based application on the local intranet. There are times when privileged users will need access to the Internet from these systems, but they will need to do so without logging the service account off. To meet these requirements we needed to configure the ISA firewall to prompt authenticated users for credentials if they are initially denied access.

Making this change requires setting the ReturnAuthRequiredIfAuthUserDenied property of the web proxy listener to true. When it is set, the ISA firewall answers an authenticated user who is denied access with a fresh 407 challenge rather than a denial, so the browser prompts for credentials. This change cannot be made in the management console; it can only be made programmatically. The MSDN reference for this property contains a VBScript that changes the setting, or you can download the script here. Run the script from the command line on the ISA firewall with the argument ‘true’ to enable prompting for authenticated users who are denied access, or ‘false’ to disable it.

For example…

ReturnAuthRequiredIfAuthUserDenied.vbs true

…enables the prompting of authenticated users who are denied access, and…

ReturnAuthRequiredIfAuthUserDenied.vbs false

…disables it.
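For administrators who would rather work in PowerShell, the following script is an added example, not the MSDN script or the author's download: it reads the current value of ReturnAuthRequiredIfAuthUserDenied on the Internal network's web listener properties through the ISA administration COM object model, and sets it when asked to. Its assumptions are labelled in the code: the NetworkType value 4 for the Internal network comes from a reader's comment below, and the Save() call on the WebListenerProperties object is assumed to be the persistence method the MSDN sample uses.

```powershell
<#
  Added example (not the script from the post or MSDN). Show or set
  ReturnAuthRequiredIfAuthUserDenied on the Internal network's web listener.
  Run on an ISA/TMG array member:
      .\Set-ReturnAuthRequired.ps1            # show current value only
      .\Set-ReturnAuthRequired.ps1 -Enable    # set to True
      .\Set-ReturnAuthRequired.ps1 -Disable   # set to False
#>
param(
    [switch]$Enable,
    [switch]$Disable
)

if ($Enable -and $Disable) { throw "Specify only one of -Enable or -Disable." }

# FpcNetworkType value for the default Internal network. Assumed from the
# comment on the post noting that the MSDN script tests NetworkType == 4.
$fpcInternalNetwork = 4

function Get-InternalNetwork {
    $root     = New-Object -ComObject FPC.Root      # root of the ISA/TMG admin COM model
    $isaArray = $root.GetContainingArray()          # the array this server belongs to
    foreach ($network in $isaArray.NetworkConfiguration.Networks) {
        if ($network.NetworkType -eq $fpcInternalNetwork) { return $network }
    }
    throw "No network with NetworkType $fpcInternalNetwork (Internal) found."
}

$internal = Get-InternalNetwork
$props    = $internal.WebListenerProperties

Write-Host ("Network '{0}': ReturnAuthRequiredIfAuthUserDenied = {1}" -f `
    $internal.Name, $props.ReturnAuthRequiredIfAuthUserDenied)

if ($Enable -or $Disable) {
    $props.ReturnAuthRequiredIfAuthUserDenied = [bool]$Enable   # -Disable yields $false
    # Assumed: Save() commits the object's changes to configuration storage.
    $props.Save()
    Write-Host ("Set to {0}." -f $props.ReturnAuthRequiredIfAuthUserDenied)
}
```

Like the VBScript, this touches only the web listener properties of the Internal network object; to change a specific user-defined listener, or a network other than Internal, select that object instead of the first NetworkType match. As the author notes in the comments, the change is made once per array, and he believes the Firewall service must be restarted for it to take effect.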

  1. August 11, 2009 at 6:32 am

    Excellent article Rich!

  2. August 19, 2009 at 3:46 am

    Great feature, Richard!
    I was looking for such a mechanism for about half a year 😉

  3. August 20, 2009 at 7:04 am

    Excellent Info – Thx for running your blog!

    Maybe it's worth mentioning that the script keeps looking for ISA networks with the property network.NetworkType == 4 (the constant describing the Internal network) and changes the option only for this network. Do you know if “network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied” works only for the HTTP proxy listener, or does it also affect your own listeners on that network (e.g. for publishing your HTTP apps in another DMZ)? Can this be changed on a per-listener basis?

    rgds
    Robert

  4. August 21, 2009 at 3:16 pm

    Excellent point, Robert. The script makes this property change only for web listeners configured on the default Internal network object. I don’t believe there is a distinction being made between the web proxy listener and another user-defined web listener. You certainly could alter this script to make this change on a specific listener on the Internal network, or to make the change on network objects other than the Internal network.

  5. Johan F
    June 14, 2011 at 11:16 pm

    Excellent info. Describes exactly what I was looking for.

  6. June 15, 2011 at 1:13 am

    Awesome. Glad you found the information useful! 🙂

  7. August 16, 2011 at 1:47 am

    can i use the same script for TMG 2010

  8. August 18, 2011 at 8:10 pm

    Absolutely. The script works on Forefront TMG 2010 as well as ISA Server.

  9. October 24, 2011 at 11:04 pm

    It is necessary to restrict access to Internet content; a content-filtering proxy server enables content filtering in the process of accessing the Internet. This type of server is used in schools to prevent access to objectionable sites, and in some cases companies limit sites, porn sites, and even social networking sites.

  10. November 12, 2011 at 2:21 pm

    Absolutely. With Forefront TMG 2010 integrated URL filtering capabilities you can deny access to the “Anonymizers” category which will prevent users from using anonymous public proxies.

  11. February 1, 2012 at 8:42 am

    Hello, great article and right up the alley I’ve been investigating about random NTCR (challenge/response) forms. Is there an option for this command that will query the current condition without changing it from true or false? This would be similar to a PowerShell Get- verb. Thanks

  12. February 2, 2012 at 8:09 am

    Not to my knowledge.

  13. jerumball
    May 11, 2012 at 7:09 am

    I am running ISA2004 EE in a 2 server array. Do I run this script on both servers or just the one configured as the Configuration Storage Server? Also, must I restart the FW service for this change to take effect? Is there any way to view the current value of this property? Thank you very much.

  14. May 14, 2012 at 8:39 pm

    You’ll run the script once on one server that is a member of the array that you want this change to apply to. I do believe that the firewall service has to be restarted in order for this change to take effect. I’m sure you could modify the script to simply display the value of the property for this object as opposed to setting it to true or false.

  15. C Andal
    November 7, 2012 at 4:06 pm

    This used to work for me, but one day recently my users started getting the authentication pop-ups again. I've run the script multiple times to ensure the setting is set to False, and restarted the server. Not sure what’s going on.

  16. November 13, 2012 at 3:31 pm

    Is basic authentication enabled? You’ll still get authentication pop-ups if basic authentication is enabled.
